Heartbleed - Shit happens

Created: 09 April 2014

Last Updated: 11 May 2014

Heartbleed is a coding bug in the OpenSSL component that makes it possible to get the OpenSSL heartbeat to expose sensitive data. There are a lot of reasons to use open source, but unfortunately this issue also uncovers a major drawback.

1) Nobody knows whether the private key was already disclosed. So every provider has to create a new private key in order to be on the safe side.

2) Nobody knows which software uses the buggy OpenSSL version. There are a lot of devices out there which use Linux as their operating system. If they have to provide security, there is a high chance they use OpenSSL. Linux is also very popular on providers' servers and in a lot of other products like internet routers. It's the sheer number of devices that makes this a security risk, given they use OpenSSL.

3) Just a couple of weeks ago a security flaw was detected in AVM/Fritz routers. AVM provided updates very fast and will publish another update regarding this OpenSSL issue very soon. It will be interesting to see the update policy of other router providers and internet providers.

As an analogy - there are a lot of front doors in houses which are based on Linux and which tell an intruder the exact details needed to create a duplicate key. Because nobody knows whether he's already compromised, everybody has to replace the door lock.